Re: OpenLDAP permissions question

Igor Shmukler wrote:
Seems to me that not many know how to write ACLs for OpenLDAP.

It's not that hard for your case.

See relevant building blocks from


attached below.

As user root you can then write cn=config and dc=example,dc=com and initialize the data. The group cn=slapd admins,ou=groups,dc=example,dc=com can read cn=config and manage dc=example,dc=com.

You alter the by-clause for cn=config

  by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage

to let this group also write to cn=config.

I spent some time creating this public example config. There's no way around learning a bit more though. You should read and understand the example, which takes less time than writing so many list postings and waiting for detailed answers. But please understand that I don't have the time to help with every detail.

Ciao, Michael.

--------------------- snip ---------------------


# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used,
# system user root is mapped to the rootdn in database dc=example,dc=com,
# which also has read access on the config and monitor databases.
# (The mapping directive itself was cut from the posting as quoted here;
# the standard peercred mapping for uid 0 / gid 0 is restored below,
# see the authz-regexp description in slapd.conf(5).)
authz-regexp
    gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth
    "cn=root,dc=example,dc=com"


# cn=config // Configuration database (always first!)
# see slapd-config(5)

database config

# Cleartext passwords, especially for the rootdn, should
# be avoided!  See slappasswd(8) and slapd.conf(5) for details.
# Best thing is not to set rootpw at all!
# For local config access by root use LDAPI with SASL/EXTERNAL instead
# (see above).
#rootpw secret

# ACL for the whole config database. Every access directive needs a
# <what> clause; "*" matches all entries. by-clauses are evaluated in
# order and the first match wins (see slapd.access(5)).
access to *
    by dn.exact="cn=root,dc=example,dc=com" manage
    by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
    by * none


# dc=example,dc=com // Example MDB database to be used by normal clients
# see slapd-mdb(5)

database mdb

suffix "dc=example,dc=com"

# The rootdn that system user root is mapped to (see authz-regexp above).
# No rootpw: root authenticates via LDAPI with SASL/EXTERNAL only.
rootdn "cn=root,dc=example,dc=com"

# mdb requires a directory for its files; the path below is a placeholder.
directory /var/lib/ldap/example


# Catch-all ACL for the rest: "*" matches every entry in this database.
# Order matters: the first matching by-clause wins, so the admin group
# gets manage, a bound user gets read, and anonymous binds get only
# enough ("auth") to authenticate.
access to *
    by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
    by self read
    by users read
    by * auth
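The two ACLs above both rely on slapd's first-match rule for `by` clauses: once a clause matches the bound identity, its level is granted and later clauses are never looked at, and an identity that matches no clause gets `none`. The following Python is an added example, not part of Michael's posting and not slapd's ACL engine; it is a deliberately small model covering only the `<who>` forms used in the posting (`dn.exact`, `group.base`, `self`, `users`, `anonymous`, `*`), with a constructed directory state (the admin group, the users alice and bob) so it runs offline. It evaluates the config and data ACLs from the posting, and also the same config ACL with `by * none` moved to the top, to show how a reordered clause silently locks out root and the admin group.

```python
"""Simplified model of OpenLDAP ACL evaluation (first matching `by` clause wins).

Added example, not from the original posting. Only the <who> forms used in the
posting are supported; real slapd (slapd.access(5)) has many more forms and
subtleties, and slapacl(8) is the authoritative way to test a live config.
"""
import re

# Access levels in increasing order, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# `by <who> <level>`; <who> may contain spaces inside quotes (group names).
BY_RE = re.compile(r"^\s*by\s+(.+?)\s+(\w+)\s*$")


def normalize(dn):
    """Crude DN normalisation: case-insensitive, whitespace around RDNs ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_by_clauses(acl_text):
    """Turn the lines of one `access to ...` directive into [(who, level), ...]."""
    clauses = []
    for line in acl_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("access to"):
            continue
        m = BY_RE.match(line)
        if not m or m.group(2) not in LEVELS:
            raise ValueError(f"unsupported clause: {line!r}")
        clauses.append((m.group(1), m.group(2)))
    return clauses


def who_matches(who, bind_dn, target_dn, groups):
    """Does a <who> clause apply to this bind DN / target entry? bind_dn None = anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and normalize(bind_dn) == normalize(target_dn)
    m = re.fullmatch(r'dn\.exact="(.+)"', who)
    if m:
        return bind_dn is not None and normalize(bind_dn) == normalize(m.group(1))
    m = re.fullmatch(r'group\.base="(.+)"', who)
    if m:
        # group.base: bind DN must be listed in the group's member attribute.
        members = groups.get(normalize(m.group(1)), set())
        return bind_dn is not None and normalize(bind_dn) in members
    raise ValueError(f"unsupported <who> form: {who!r}")


def granted_access(acl_text, bind_dn, target_dn, groups, rootdn=None):
    """First matching `by` clause wins; no match means `none` (slapd's implicit
    `by * none`). The database rootdn is not subject to ACLs at all."""
    if rootdn is not None and bind_dn is not None and normalize(bind_dn) == normalize(rootdn):
        return "manage"
    for who, level in parse_by_clauses(acl_text):
        if who_matches(who, bind_dn, target_dn, groups):
            return level
    return "none"


def allows(acl_text, bind_dn, target_dn, groups, wanted, rootdn=None):
    """True if the granted level is at least `wanted` (levels are cumulative)."""
    got = granted_access(acl_text, bind_dn, target_dn, groups, rootdn)
    return LEVELS.index(got) >= LEVELS.index(wanted)


# --- the ACLs from the posting ---------------------------------------------
CONFIG_ACL = """
access to *
    by dn.exact="cn=root,dc=example,dc=com" manage
    by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
    by * none
"""
DATA_ACL = """
access to *
    by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
    by self read
    by users read
    by * auth
"""
# Same clauses as CONFIG_ACL, but `by * none` moved first: with first-match
# semantics nobody, not even root, gets past it.
BROKEN_CONFIG_ACL = """
access to *
    by * none
    by dn.exact="cn=root,dc=example,dc=com" manage
    by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
"""

# Constructed directory state: alice is the only member of the admin group.
ROOT = "cn=root,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
GROUPS = {normalize("cn=slapd admins,ou=groups,dc=example,dc=com"): {normalize(ALICE)}}

if __name__ == "__main__":
    for label, acl in [("config", CONFIG_ACL), ("data", DATA_ACL), ("broken config", BROKEN_CONFIG_ACL)]:
        for name, dn in [("root", ROOT), ("alice", ALICE), ("bob", BOB), ("anonymous", None)]:
            print(f"{label:14} {name:10} -> {granted_access(acl, dn, BOB, GROUPS)}")
```

Running the script prints the level each identity ends up with for each ACL; the "broken config" rows all read `none`, which is what a misplaced `by * none` produces on a real server too. On an actual slapd, use `slapacl(8)` against the real configuration rather than a model like this one.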

